How to free up disk space, log rotation and syslog redirection on Citrix NetScaler ADC

Managing disk space on your Citrix NetScaler ADC is essential for ensuring high availability and reliable performance, especially as log files can quickly fill critical storage partitions during periods of heavy activity. This blog guide explains how to assess disk usage, allocate extra space, and fine-tune log rotation and syslog redirection to keep your infrastructure secure, compliant, and smooth-running.

Checking Disk Space

Start by auditing your current disk usage. Use these commands on the FreeBSD file system powering NetScaler:

• Command “df -h”: Displays the overall disk usage and available space on the FreeBSD file system.

• The command “du -sh /var/* | sort -nr | grep G”: Checks folder sizes in /var/ and flags those above 1GB. It’s common to see /var/log consuming much of the available space, largely due to event logs generated by active applications

Allocating Additional Disk Space

It is known that the /var/log/ folder contains most log files. And since we would need additional disk space, we have the following 3 options:

1: An ADC VPX with release 13.1 build 21.x and newer, hosted on a hypervisor can be assigned additional disk space. This disk space will appear as another partition again under /var/crash/. If you add additional disk space while the VPX is powered on, it will require a reboot before it is available and ready to be utilized.

As can be observed on the screenshot above, the second partition is automatically assigned to /var/crash/ folder.

2: VPX instance hosted on SDX platform on version 14.1 has the option to assign additional disk space to a VPX instance.

On SDX version 13.1 you will have to increase the ADC’s memory. When you add additional memory, disk space is assigned as second partition that again points to /var/crash/.

Here is a small table of disk allocation of VPX on SDX 13.1:

Log Rotation & Syslog Redirection

3: You can extend the existing partition. While it's technically possible to extend existing partitions, Citrix does not recommend this approach for production environments.

To use this option we have to adjust the log rotation and location after the disk space is allocated as a second partition. There are 2 specific files that contain this configuration:

• /etc/syslog.conf: Controls log location and facility.

• /etc/newsyslog.conf: Manages log rotation schedules

Let’s take a closer look at the syslog configuration. When creating an auditing server, you must choose your log facility value. This will define which log file events the auditing server will receive by the NetScaler ADC. All the values are pre-defined, and you will have to decide which one to use depending on your needs.

These values are stored in “/etc/syslog.conf” file:

In our case we would like to move the ns.log file location. Therefore, we need to adjust the “local0.*” location. After the modification, we are aiming for the log file to reside on the second partition which means that it should be pointing to /var/crash/ folder. We decided to move the “local0.*” location to “/var/crash/log/ns.log”. After modifying the file, it should look like this:

For now, we have adjusted the location of the ns.log files as they are filling the main partition of our NetScaler ADC. Now, let’s take a look at the log rotation settings. The log rotation configuration is present at the “/etc/newsyslog.conf” file:

Again, we are following the ns.log file. In the screenshot, the location of the ns.log file is the old one. We will have to add an additional line that will indicate the log rotation of the location of the ns.log file. You will have to define a couple of values when performing this modification:

• Count: indicates how many gz archives to be kept before overwriting the oldest one. In the case of the configuration above, the “ns.log.24.gz” file will start to be overwritten after reaching the threshold of 25 files.

• Size: this column indicates the size of ns.log file which needs to be reached in order a log rotation to be triggered.

• When: this column indicates on what amount of time the log file rotates in case the log doesn’t reach the size. “D” stands for daily. “W” is for the day of the week, starting “W0” is Sunday, “W3” is Wednesday, “W6” is Saturday. “M” is for monthly. “L” stands for last day of the month. Here are some possibilities with examples:

• D0. - rotate every night at midnight

• D23. - rotate every day at 23:00

• W0D23. - rotate every week on Sunday at 23:00

• W5D22 - rotate every week on Friday at 22:00

• W5. - rotate every week on Friday at midnight

• MLD6. - rotate at the last day of every month at 6:00

• M5. - rotate on every fifth day of the month at midnight

In our case, we will modify only the “count” and “size” columns. We decided to keep 5 files and leave them with the same size: 100 KBs. Here is the modified “newsyslog.conf” file after the reconfiguration needed:

You might notice that we have left the previously located ns.log rotation configuration, however it will not be used as we have already changed the log facility in the first part of the article. As a conclusion, the only line that matters in the current configuration for the ns.log file rotation will be the one that is highlighted in the screenshot.

Normally, we would assume that the applied configuration is persistent. However, there is one last action that needs to be done before it persists after a NetScaler ADC is rebooted. To achieve this, you need to copy the “/etc/syslog.conf” & “/etc/newsyslog.conf” files to the /nsconfig/ folder. During boot, ADC replaces the default /etc/syslog.conf & “/etc/newsyslog.conf” files with /nsconfig/ ones if they are present. In case you have a high-availability setup, you will need to perform the operation on both ADC HA nodes separately.

Optimize your Citrix NetScaler environment with Blubyte’s expert managed services and unlock scalability, compliance, and security with zero guesswork. Reach out for tailored solutions or a free environment audit today!